How to Choose Between Vulnerability Scanning vs Penetration Testing

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame.

Even seasoned cybersecurity professionals confuse penetration tests with vulnerability scans. Both play an important role in the security practitioner’s toolkit, but they vary significantly in scope and expense. Here are answers to some common questions about the topic:

What Is Penetration Testing?

During penetration testing, highly skilled cybersecurity professionals assume the role of attacker and try to break into an organization’s network. Just as an attacker would, they conduct reconnaissance on the network, seek out vulnerable systems and applications, and exploit those vulnerabilities to gain a foothold on the organization’s network.

The knowledge gained during these tests points out weaknesses that could be exploited by a real hacker and provides a roadmap for security remediation.

What Is a Vulnerability Scanner, and How Is It Used?

Vulnerability scanners are automated testing tools that probe all of the systems connected to a network and identify vulnerabilities. They run thousands of security checks against each system they discover. Most organizations run automated vulnerability scans at least weekly to quickly identify vulnerabilities for remediation.

Vulnerability Scans vs. Penetration Tests: What’s the Difference?

While vulnerability scans and penetration tests both discover hidden weaknesses in systems, applications, network devices and other network-connected components, vulnerability scanning is highly automated, while penetration testing is manual and time-consuming.

When Should You Perform a Penetration Test vs. a Vulnerability Scan?

Most organizations combine the approaches, running vulnerability scans frequently and supplementing them with less frequent penetration tests.

Penetration tests provide the most comprehensive evaluation of a system’s or application’s security by exposing it to real attackers using modern hacking tools. However, it’s impossible for penetration testers to check every system and every vulnerability; the tests are usually a deep dive into a small group of target systems.

Vulnerability scans, on the other hand, can run constantly and scan very large networks. They cast a wide net but don’t include the human precision and creativity involved in a penetration test.

What Types of Vulnerabilities Are Usually Discovered?

Common issues include outdated OS versions that are missing security patches and are vulnerable to exploitation; application security flaws, such as SQL injection and cross-site scripting vulnerabilities; and insecure configuration settings, such as weak encryption ciphers and the use of default passwords.